[Zope-dev] CSRF protection for z3c.form

Shane Hathaway shane at hathawaymix.org
Mon Apr 4 13:54:09 EDT 2011


On 04/04/2011 10:22 AM, Roger wrote:
> Just because you can write login forms with
> z3c.form this package has nothing to do with
> authentication. That's just a form framework!
>
> Authentication is definitely not a part
> of our z3c.form framework and should not
> become one.
>
> Why do you think authentication has something
> to do with the z3c.form library? Did I miss
> something?

This thread is using the word authenticate differently than most other 
Zope-related discussions.  Here, we are authenticating the *form*, not 
the user.  We need to be sure that submitted form data was produced by 
an authentic form.  Otherwise, a crafty site could cause the user's 
browser to invoke some action in the background.

BTW, the CSRF issue has existed as long as HTML forms have existed, but 
for some reason it has only drawn attention in the past year or two.

Shane
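An added illustration of what "authenticating the form" means in practice (example code written for this page, not part of z3c.form or any Zope package): the server mints an HMAC token bound to the visitor's session, the form's name and an issue time, embeds it as a hidden field, and the action handler refuses any POST whose token does not verify. A form served by another site cannot carry a valid token, so the background submission Shane describes is rejected. The field name `_authenticator`, the per-deployment secret and the one-hour lifetime are assumptions of this example.

```python
"""CSRF protection as "form authentication": every form the server renders
carries a hidden token tied to the session, the form name and an issue time;
submissions are processed only if that token verifies."""
import hmac
import hashlib
import secrets
import time

# Assumption: a per-deployment secret. Generated here so the example runs
# stand-alone; a real site would load a persistent secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_FIELD = "_authenticator"   # hypothetical hidden-field name
MAX_AGE_SECONDS = 3600           # assumed token lifetime


def _mac(session_id, form_name, issued_at):
    # Bind the token to session + form + time so it cannot be reused for a
    # different user, a different action, or forever.
    msg = f"{session_id}\x00{form_name}\x00{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id, form_name, issued_at=None):
    """Mint the token the server embeds in a form it renders itself."""
    if issued_at is None:
        issued_at = int(time.time())
    return f"{issued_at}:{_mac(session_id, form_name, issued_at)}"


def verify_form_token(session_id, form_name, token, now=None):
    """True only if the token was minted by this server for this session
    and form, and has not expired."""
    if now is None:
        now = int(time.time())
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False
    if issued_at > now or now - issued_at > MAX_AGE_SECONDS:
        return False
    # Constant-time comparison: a plain == would leak timing about the MAC.
    return hmac.compare_digest(mac, _mac(session_id, form_name, issued_at))


def render_form(session_id, form_name, issued_at=None):
    """Hidden fields the server writes into a form rendered for this session."""
    return {TOKEN_FIELD: issue_form_token(session_id, form_name, issued_at)}


def handle_submit(session_id, form_name, fields, now=None):
    """Action handler: reject the POST unless the form authenticates."""
    token = fields.get(TOKEN_FIELD)
    if token is None or not verify_form_token(session_id, form_name, token, now):
        return "rejected: form not authenticated"
    return f"ok: {form_name} processed for session {session_id}"


if __name__ == "__main__":
    # Constructed scenarios: a genuine submission and a cross-site forgery.
    genuine = {**render_form("sess-A", "delete"), "item": "7"}
    print(handle_submit("sess-A", "delete", genuine))
    forged = {"item": "7"}   # a crafty site's form has no valid token
    print(handle_submit("sess-A", "delete", forged))
```

The token is stateless (nothing is stored server-side) because the HMAC already proves the server minted it; the session binding stops an attacker from harvesting a token in their own session and planting it in a form aimed at someone else's.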

